Reddit Attacked by XSS Exploit - Update

The Reddit social news aggregator was reportedly the subject of a cross site scripting attack where just hovering over a comment message could cause a logged in user to post rogue comments. The XSS attack appears to exploit a vulnerability which allows JavaScript code to be inserted into Reddit comments. According to a thread on Reddit, a user named Empirical created some JavaScript code which, if copied and pasted into the address bar, would reply to all the comments on a Reddit page, while another user named "xssfinder" created a proof of concept which could run JavaScript code by hovering over a comment. Xssfinder then decided to combine the two pieces of code and tested it in a sub-Reddit called "proofofhax". From there, the XSS exploit spread over Reddit.

F-Secure reports that the Reddit administrators closed the holes which allowed the attack to happen, and contrary to some reports, the system was not taken down for any length of time. The administrators have also been deleting comments generated by the XSS attack.

With social network XSS attacks, it is often the case that one attack is followed by a slightly different variant in a few days, and therefore it may be advisable to disable JavaScript when accessing Reddit using a Firefox extension like NoScript. Users who already use NoScript should check that Reddit is not on the white list of sites allowed to execute JavaScript code.

Update - The Reddit developers have now described the problems and vulnerabilities in a blog posting. The problems occurred in the open source markdown library that Reddit uses; the developers had not disabled variable expansion and there was an issue with MD5 and the double escaping of certain characters. Taken together the two problems allowed the JavaScript exploit described. The developers included a link in their blog post to the patch they have made to the library.

(djwm)